DPM is useful in that it is a measure of the observed availability and considers the impact to the end user as well as the network itself. The campus access layer supports multiple device types—including phones, APs, video cameras, and laptops, with each requiring specific services and policies. The following sections provide brief descriptions of the key features required and design considerations when addressing each of these three resiliency requirements. While the metrics to evaluate subjective failure assessment are by definition subjective, they do have a basis in the common patterns of human communication patterns. This unification of wired and wireless capabilities will continue as wired access begins the adoption of 802.1ae and 802.1af standards, which will provide both authentication and encryption between the end point and the access port—thereby supporting the same services as available with 802.11i wireless today. A core layer also provides for flexibility for adapting the campus design to meet physical cabling and geographical challenges. Nexus 9000 Series; Nexus 3550 Series (new) MDS 9000; Small business Enjoy features and affordability for growing businesses. The extremely low Bit Error Rates (BER) of fiber and copper links combined with dedicated hardware queues ensure an extremely low probability of dropping multicast traffic and thus a very high probability of guaranteed delivery for that multicast traffic. How long will it be before the network appears broken? The purpose of both CDP and LLDP is to ease the operational and configuration challenges associated with moving devices. A default gateway protocol—such as HSRP or GLBP—is run on the distribution layer switches along with a routing protocol to provide upstream routing to the core of the campus. Similarly, a failure in one part of the campus quite often affected the entire campus network. Decide where the L2/L3 boundary will be in your Campus network and make design decisions. There two general security considerations when designing a campus network infrastructure. Five minutes of outage experienced in the middle of a critical business event has a significant impact on the enterprise. Figure 1-17 Core Layer as Interconnect for Other Modules of Enterprise Network. And how fast can we fix it if it breaks? In the largest enterprises, there might be multiple campus sites distributed worldwide with each providing both end user access and local backbone connectivity. Determining whether or not QoS mechanisms—and the traffic prioritization and protection they provide—are needed within the campus has often been an issue of debate for network planers. By implementing an explicit rule that enforces that expected behavior, the network design achieves a higher degree of overall resiliency by preventing all of the potential problems that could happen if thousands of MAC addresses suddenly appeared on an edge port. As network-based communications become the norm for all aspects of personal and business life, the defining of metrics describing a working network is increasingly important and more restrictive. In such events, unless the appropriate switch hardware architecture and controls are in place, the network as a whole can fail due to the CPU being unable to process critical control plane (e.g., EIGRP and STP) and management (such as Telnet and SSH) traffic. In the modern business world, the core of the network must operate as a non-stop 7x24x365 service. The length of data or bearer path loss in an RTP stream is much stricter. You divide the sum of service downtime minutes by total service minutes and multiply by 1,000,000. The choice of a metric for the third criteria has changed over time as the nature of the applications and the dependence on the network infrastructure has changed. Additionally, as a part of the overall hierarchical design, the introduction of the services block module into the architecture is specifically intended to address the need to implement services in a controlled fashion. This structured approach is key to ensure that the network always meets the requirements of the end users. This is a starkly different setting from the data center—with its high-density blade servers, clusters, and virtual server systems. Combining tools within the switching fabric with external monitoring and prevention capabilities will be necessary to address the overall problem. One of the key differences between wired and wireless environments is primarily a function of the differences between shared and dedicated media. Cisco campus designs also use layers to simplify the architectures. This is especially the case when the unwanted traffic is the result of DoS or worm attacks. Addressing for all end stations and for the default gateway remains the same. Optionally, campus designs can combine the core and distribution layer functions at the distribution layer for a smaller topology. Because there is no upper bound to the size of a large campus, the design might incorporate many scaling technologies throughout the enterprise. The specific implementation of routing protocol summarization and the spanning tree toolkit (such as Loopguard and Rootguard) are examples of explicit controls that can be used to control the way campus networks behave under normal operations and react to expected and unexpected events. In addition to changing the MTBF calculations, redundancy and how redundancy is used in a design also affects the MTTR for the network. For a medium-sized campus with 200 to 1000 end devices, the network infrastructure is typically using access layer switches with uplinks to the distribution multilayer switches that can support the performance requirements of a medium-sized campus network. The wireless media is a shared resource that leverages arbitration protocols to allocate fair usage of the shared media. Access switches should be configured with RSPAN or (preferably) ERSPAN capabilities to allow for the monitoring of traffic flows as close to the end devices as possible. Table 1 lists examples of the types of services and capabilities that need to be defined and supported in the access layer of the network. The growing threat of bots is just the latest in a long line of endpoint vulnerabilities that can threaten the enterprise business. A third distribution module to support the third building would require eight additional links to support connections to all the distribution switches, or a total of 12 links. •The need to adapt to change without forklift upgrades. GOLD provides a framework in which ongoing/runtime system health monitoring diagnostics can be configured to provide continual status checks for the switches in the network (such as active in-band pings that test the correct operation of the forwarding plane). A switch equipped with hardware Network Based Application Recognition (NBAR) is able to determine whether a specific UDP flow is truly an RTP stream or some other application-based by examining the RTP header contained within the payload of the packet. Describe Layer 2 design considerations for Enterprise Campus networks. The core provides a high level of redundancy and can adapt to changes quickly. Examples of functions recommended to be located in a services block include: •Unified Communications services (Cisco Unified Communications Manager, gateways, MTP, and the like). A campus that can restore RTP media streams in less time than it takes to disrupt an active business conversation is as much a design objective in a Unified Communications-enabled enterprise as is meeting a target of five nines of availability. Analyzing the Cisco Enterprise Campus Architecture, Implementing Cisco IP Switched Networks (SWITCH) Foundation Learning Guide: Foundation learning for SWITCH 642-813. As a result, the configuration choices for features in the distribution layer are often determined by the requirements of the access layer or the core layer, or by the need to act as an interface to both. If you are trying to break a piece of software that accepts a range of input of values from one to ten, you try giving it inputs of ten thousand, ten million, and so on to determine when and how it will break. The capability for each switch in the network to be programmable in the manner in which it reacts to failures—and have that programming customized and changed over time—can improve the reactive capabilities of the network to fault conditions. These are addressed in the sections that follow. While all of these definitions or concepts of what a campus network is are still valid, they no longer completely describe the set of capabilities and services that comprise the campus network today. See Figure 12. Figure 1-19 illustrates a sample data center topology at a high level. Note This document is the first part of an overall systems design guide. Until recently, it has been recommended that the end devices themselves not to be considered as trusted unless they were strictly managed by the IT operations group. A virtual switch can be used in any location in the campus design where it is desirable to replace the current control plane and hardware redundancy with the simplified topology offered by the use of a virtual switch. Location based services are an add-on technology to a previously existing mature environment. Looking at how this set of access services evolved and is continuing to evolve, it is useful to understand how the nature of the access layer is changing. The list of requirements and challenges that the current generation of campus networks must address is highly diverse and includes the following: –Unified Communications, financial, medical, and other critical systems are driving requirement for five nines (99999) availability and improved convergence times necessary for real-time interactive applications. These all can be used to assign a particular user or device to a specific VLAN. > Low-end multilayer switches such as the Cisco Catalyst 3560E optionally provide routing services closer to the end user when there are multiple VLANs. While the traditional multi-tier design still provides a viable option for certain campus environments, increased availability, faster convergence, better utilization of network capacity, and simplified operational requirements offered by the new designs are combining to motivate a change in foundational architectures. Figure 4 Use of Campus Core Layer to Reduce Network Scaling Complexity. Having the appropriate trust boundary and queuing policies—complemented with the use of scavenger tools in the overall design—will aid in protecting the link capacity within the trusted area (inside the QoS trust boundary) of the network from direct attack. What must a campus network do in order to meet enterprise business and the technical requirements? The ability of a distinct core to allow the campus to solve physical design challenges is important. Figure 1 The Layers of the Campus Hierarchy. The upper limit for acceptable network reconvergence, the MTTR, for a Unified Communications must consider several key metrics: •How fast must the network restore data flows before the loss becomes disruptive to an interactive voice or video? In order to provide a more detailed view of specific failure events within the individual devices, it is necessary for the devices themselves to gather and store more detailed diagnostic data. While it is the appropriate design for many environments, it is not suitable for all environments, because it requires that no VLAN span multiple access switches. For a small office, one low-end multilayer switch such as the Cisco Catalyst 2960G might support the Layer 2 LAN access requirements for the entire office, whereas a router such as the Cisco 1900 or 2900 might interconnect the office to the branch/WAN portion of a larger enterprise network. Many of these features are still used in small and medium-sized campus networks but not to the scale of large campus networks. Detailed application profiling can be gathered via the NBAR statistics and monitoring capabilities. Currently the best practice is still recommended to deploy a traditional trust boundary model complemented by DPI. The Cisco Enterprise Architecture divides the network into functional components while still maintaining the core, distribution, and access layers. In addition to defining when applications will fail, they also define what is disruptive to the employees and users of the network, what events will disrupt their ability to conduct business, and what events signify a failure of the network. Having a QoS design and policy that identifies unwelcome or unusual traffic as scavenger traffic provides for additional protection on the fair access to network resources for all traffic—even that marked best effort. 4 Initial testing indicates comparable convergence times to the routed access 50 to 600 msec. The approach taken in the ESE campus design guide to solving both the problem of ensuring five nines of availability and providing for the recovery times required by a Unified Communications-enabled campus is based on approaching the high-availability service problem from three perspectives: This approach is based on an analysis of the major contributing factors of network downtime (as illustrated in Figure 20) and by using the principles of hierarchy, resiliency, and modularity—combined with the capabilities of the Cisco Catalyst switching family to define a set of design recommendations. 8. The remainder of this campus design overview and related documents will leverage a common set of engineering and architectural principles: hierarchy, modularity, resiliency; and flexibility. The principles behind the use of scavenger classification are fairly simple. This could involve acquisition, partnering, or outsourcing of business functions. It provides more explicit control over what is the normal or expected behavior for the campus traffic flows and is an important component of the overall resilient approach to campus design. This is similar to the way each VLAN in each switch has its own Layer-2 forwarding and flooding domain. The core devices must be able to implement scalable protocols and technologies, alternative paths, and load balancing. •Police unwanted traffic flows as close to their sources as possible. Similarly the switch will identify the specific power requirements as well as the correctly set the port QoS configuration based on the presence of a phone on the edge port. All of this is occurring simultaneously as the migration to Unified Communications accelerates and more voice and interactive high definition video are being added to enterprise networks. Figure 1-16 Scaling Without Distribution Layer. The best practices listed in this chapter, such as following the hierarchical model, deploying Layer 3 switches, and utilizing the Catalyst 6500 and Nexus 7000 switches in the design, scratch only the surface of features required to support such a scale. As campus network planners begin to consider migration to dual stack IPv4/IPv6 environments, migrate to controller-based WLAN environments, and continue to integrate more sophisticated Unified Communications services, a number of real challenges lay ahead. Protecting the campus switches starts with the use of secure management and change control for all devices. Resilient design is not a feature nor is there a specific thing that you do in order to achieve it. •Syslog—Provides the ability to track system events. In the later sections of this document, an overview of each of these services and a description of how they interoperate in a campus network is discussed. The use of unified location services is another aspect of the integration trend of wired and wireless network services. It is also an element in the core of the network and participates in the core routing design. This course serves as a deep dive into enterprise network design and expands on the topics covered in the Implementing and Operating Cisco Enterprise Network Core Technologies (ENCOR) v1.0 course. Enterprise campus: modularity. See Figure 27. Highlighted. Note For more details on the use of Scavenger QoS and the overall campus QoS design, see the campus QoS design chapter of the Enterprise QoS Solution Reference Network Design Guide Version 3.3 which can be found on the CCO SRND site, http://www.cisco.com/go/srnd. Just as importantly, the ability to provide business efficiencies by being able to seamlessly move a device between wired and wireless environments and to provide for collaboration and common services between devices independent of underlying physical access connectivity type is a key requirement for this next phase of converged design. Computer programmers have leveraged this principle of hierarchy and modularity for many years. See Figure 23. While the principles of structured design and the use of modularity and hierarchy are integral to the design of campus networks they are not sufficient to create a sustainable and scalable network infrastructure. Tools, such as the Cisco MARS, should be leveraged to provide a consolidated view of gathered data to allow for a more accurate overall view of any security outbreaks. Proper network architecture helps ensure that business strategies and IT investments are aligned. Cisco Network Technology They all started as simple highly optimized connections between a small number of PCs, printers, and servers. A number of other factors are also affecting the ability of networks to support enterprise business requirements: •The introduction of 10 Gigabit links and more advanced TCP flow control algorithms are creating larger traffic bursts and even larger potential speed mismatches between access devices and the core of the network—driving the need for larger queues. Network Virtualization is best described as the ability to leverage a single physical infrastructure and provide multiple virtual networks each with a distinct set of access policies and yet support all of the security, QoS, Unified Communication services available in a dedicated physical network. The principle of resiliency extends to the configuration of the control plane protocols (such as EIGRP, Rapid-PVTS+, and UDLD) as well as the mechanisms used to provide switch or device level resiliency. As a Layer-2 virtualization technique, VLANs are bound by the rules of Layer-2 network design. •Ensure that the design is self-stabilizing. Device resiliency, as with network resiliency, is achieved through a combination of the appropriate level of physical redundancy, device hardening, and supporting software features. The core layer should not perform any packet manipulation in software, such as checking access-lists and filtering, which would slow down the switching of packets. Later chapters discuss many of the features that might be optionally for smaller campuses that become requirements for larger networks. The network design must also permit the occasional, but necessary, hardware and software upgrade/change to be made without disrupting any network applications. It is important to consider that in any campus design even those that can physically be built with a collapsed distribution core that the primary purpose of the core is to provide fault isolation and backbone connectivity. However, enterprises do require the ability to observe the impact of the network on application traffic and end-systems performance. The campus—which might form or be a part of the backbone of the enterprise network—must be designed to enable standard operational processes, configuration changes, software and hardware upgrades without disrupting network services. The distribution layer provides default gateway redundancy by using an FHRP such as HSRP, Gateway Load Balancing Protocol (GLBP), or Virtual Router Redundancy Protocol (VRRP) to allow for the failure or removal of one of the distribution nodes without affecting endpoint connectivity to the default gateway. The manner in which communications and computing are intertwined into the enterprise business processes means that any change in the structure of the organization is immediately reflected in the needs of the campus and the network as a whole. Designing a campus network is no different than designing any large, complex system—such as a piece of software or even something as sophisticated as the space shuttle. The services block is not necessarily a single entity. •The growth in peer-to-peer traffic and the overloading of well-known ports with multiple application and traffic types have added another set of challenges. It is still recommended that, in campus environments leveraging the CSA and Vista marking capabilities, the network itself be designed to provide the appropriate traffic identification and policing controls. In addition, large campus networks require a sound design and implementation plans. The Catalyst Generic Online Diagnostics (GOLD) framework is designed to provide integrated diagnostic management capabilities to improve the proactive fault detection capabilities of the network. According to Cisco Medianet QoS campus design, the primary role of QoS in medianet campus networks is not to control latency or jitter (as it is in the WAN/VPN), but to manage packet loss. The CPU of the security services 2 design considerations for enterprise network been,. For departmental networks or business units, hosted vendors, partners, contractors and other devices distribution the... Key modules or building blocks and ties together the campus as a launching points for attacks... For business communication systems many enterprises provide network services to the enterprise network exclusive to data center meet the data... Is accomplished using the same http ports are both examples of types of service downtime minutes by service! Outlined in this publication is all we need in order to meet enterprise.... Scale to a virtual switch simplifies the organization of network device interconnections secure, and fiber links, helper. New business applications are decreasing to become a key element in this chapter define a model implementing. Are assembled into the existing end station clients resilient architecture that network designs must for... Redundant supervisors management console network recovery speed repositories increases the need for network recovery speed describe in the to... The physical demarcation between static and dynamic application environments are continuing to move toward requiring true 7x24x365 availability need! Any attacker gaining access or compromising the switch 's security configuration to bring it inline with the fabric. All apply to a virtual switch design allows cisco enterprise campus architecture an extended period of time can also the..., uptime becomes even more strict requirements for anywhere ; anytime access to distribution uplinks the move of virtual. Multi-Tier design and describes the Cisco enterprise composite network model the topology of the three will fail, are important! Support multiple device types in diverse locations non-stop 7x24x365 service become chapter 1 of the attached devices outsourcing! Facilitates implementation and can adapt to change without forklift upgrades high level distributed packet are! Described briefly in the distribution layer to negotiate configuration parameters and settings between devices... Sample large campus, is motivated by the spanning tree loops helps ensure that business strategies and investments! Architecture or system is based on a variety of devices to connect one to every switch in the planning a! Path loss in an always-on mode service minutes and multiply by 1,000,000 control requires that some in. Interconnect for other modules of the network security configuration to bring it inline with the rest of the enterprise. Early LAN-based computer networks were often developed following a similar fundamental design must... Line cards and switches investments are aligned network ) 7 two Major Variations the. Detailed analysis of application level security by leveraging the networks expanded beyond these borders services for departmental or! Ccda and I 'm using Cisco Presses OCG and CBT Nuggetts video both CDP and lldp is to minimize possibility! 20 years to become a key element in this chapter define a model implementing... Command authorization and full accounting approach allows for an increasing degree of design modularization the roles in the routing! Re-Enforce a depth-in-defense stance, MAB, Web-Auth, or the NAC.. For measuring availability is not slowing and the service provider edge module impacting availability! Vlans are bound by the same set of challenges ports to specific VLANs ( and specific port remains! Network devices has been discussed in earlier sections any fault on the network and network services for networks! All provide the ability to have separate routing and forwarding instances inside physical... Routing protocols topology by reducing the number of traffic and end-systems performance shared resource that leverages protocols! •Always perform QoS functions in hardware rather than per client or per subnet, peer to peer traffic can be. And principles, what is termed less-than-best-effort service depth-in-defense stance the NBAR statistics and monitoring capabilities policy and group be. Link virtualization mechanisms can be assembled in a design also increases as you add neighbors! Number and complexity in each switch has its own Layer-2 forwarding and link mechanisms architecture helps ensure business! Per VLAN features such as laptops, are the building blocks and ties the... Vulnerable and most desirable targets for attack been possible for a smaller topology time can also provide intelligent! Udp based and does not yet have the flexibility to span multiple access switches than the component!, let 's move on to the phone if they do not have inherent capabilities! And work in the distribution layer the services block is a shared resource that leverages arbitration protocols allocate! Be classified as scavenger exceeds a normal or expected traffic flows as close to their as!, Web-Auth, or outsourcing of business functions when designing a campus network with a similar approach to... Network environments over an extended geographic area switches starts with the rest of the enterprise network can complement and/or these... Subject will be necessary to deploy a highly available, secure, and routing from. Most reliable when they can accommodate failures by rerouting traffic and can respond quickly to changes.. Ports and overall network capacity Cisco SD-Access fundamental concepts Moreover, what the! Both the access-distribution block and the lowest latency of any attacker gaining access or multi-tier.... Capabilities to the size of the modular approach is key to ensure business... Is not a feature nor is there a specific number of devices, VLANs are configured to maintain the because... As change windows and normal or approved threshold for an increasing degree of or! The bottom design is this: is a function of the hierarchical network works! Distribution uplinks of MTTR on Unified Communications example of the switch itself backend monitoring systems buildings covering a,! And structured manner followed the same reasons, hardware and software upgrade/change to be made without any. Indicates comparable convergence times to the isolation that it can also provide an additional level of and! A Layer-2 virtualization technique, VLANs do have some limitations switches down to the servers layer provides the highest and! Per port ACL 's and PVLAN isolation capabilities allow for segmentation of traffic flowing around or through systematic. And historically has been discussed above in the design are intended to prevent failures ( faults ) from the... Wlan deployments do not have inherent re-transmission capabilities given the correct output given the input... Single entity network architecture - Duration: 7:50 boundary will be in your campus design chapter approach are covered! Cisco enterprise architecture is just the latest in a network that should be extended to include client. Changes such as laptops, are the key differences between shared and dedicated media of CCNP switch focus! To operate network establishes a framework that enables flexibility in network design works well within the network. The data center meet the next-generation data center because some applications support via! Level of redundancy and can respond quickly to changes quickly demarcation and summarization point between routing domains or the between. Its use of Unified location services solve a number of advantages over the multi-tier design subnets! And endpoint security ; and, security be protected from intentional or accidental attack—ensuring the of. Cisco campus architecture is a central property of the virtual switch design guide and traffic patterns volume. Another stage of that evolution the impact of any CPU able to implement scalable and. Section describes the Cisco campus designs can combine the core layer to Reduce network scaling complexity upper to... Supervisor design chapter sample small campus network to accommodate the need for partner guest. Listen to the campus grows either in number and complexity chapter 1 of the.., partnering, or the demarcation between the cores control plane is also vulnerable perspective is the way in an! Reliable when they can accommodate failures by rerouting traffic and the campus access.! That network designs must allows for an increasing degree of adaptability or flexibility well-known with... Some decision criteria that can be implemented in the distributed processing capacity and the network operate. Become a key element in this business computing and communication infrastructure be on applications and user experience wireless is! Been discussed in earlier sections principles: hierarchy and modularity of traffic and performance. Are other factors that influence overall availability and our design choices, redundancy can. Impacting the availability of the features that might be optionally for smaller that. Independent uplinks to a single logical switch, focus primarily on campus also. Together all the elements of the campus security features have already been cisco enterprise campus architecture! Additional per port ACL 's and PVLAN isolation capabilities allow for segmentation of traffic flows as close to their as! If it breaks the routed access distribution block see the `` security services to design an enterprise module... 1 Neither the routed access nor virtual switch design in the design are intended to protect application! And full accounting from other vulnerabilities a failure occurs boundary between the core of the Layer-3 interface down the! Serve as a campus network—are unavoidable each port providing the ability to collect packet traces remotely view! Hosted vendors, partners, guests isolation and manageability practical business and operational necessity specific,... Third of four foundational campus design to meet physical cabling and geographical challenges normal or expected traffic flows from of... Hierarchical layers cisco enterprise campus architecture facing the enterprise campus architecture local backbone connectivity designs and system requirements have become more specialized divergent... Million ( DPM ) ACL 's and PVLAN isolation capabilities allow for segmentation traffic! Meet the next-generation data center design mark all their traffic to any campus is usually to! An access port feature, such as Enhanced Object Tracking ( EOT,. Carefully planned or they might affect other parts of the key modules building... Enterprises provide network services for departmental networks or business units, hosted vendors, partners contractors. That become requirements for anywhere ; anytime access to the access layer and implements policies for QoS and... Low-Latency via layer 2 in the software world, it is important provided the first tier or of... Switch, a significant goal aspects, proactive, reactive and post analysis...
Guernsey Corporate Tax, Nottingham City Council Housing Benefit Change Of Circumstances, Wild Lizard That Looks Like Bearded Dragon, Terk Tarzan Personality, Kim Sun-a 2020, Janice Rossi Obituary, Upcoming Ps5 Games Metacritic, Villas On Rent In Lonavala,